1
00:00:01,000 --> 00:00:03,000
Over the last lectures,

2
00:00:03,000 --> 00:00:05,000
we ensured that we can

3
00:00:05,000 --> 00:00:08,000
log in and log out and create users.

4
00:00:08,000 --> 00:00:11,000
And that we protect certain pages.

5
00:00:11,000 --> 00:00:14,000
And that we control which page can be visited,

6
00:00:14,000 --> 00:00:16,000
if we're logged in or logged out.

7
00:00:16,000 --> 00:00:19,000
That certain pages like the profile page

8
00:00:19,000 --> 00:00:22,000
can't be visited, that we're redirected automatically.

9
00:00:22,000 --> 00:00:24,000
And all of that works now.

10
00:00:24,000 --> 00:00:28,000
All of that works with help of the Next Auth package,

11
00:00:28,000 --> 00:00:32,000
and the session which it checks for us.

12
00:00:32,000 --> 00:00:34,000
And just to make this really clear,

13
00:00:34,000 --> 00:00:36,000
when I say session here,

14
00:00:36,000 --> 00:00:39,000
I am talking about this JSON Web Token.

15
00:00:39,000 --> 00:00:43,000
Which is managed automatically by Next Auth.

16
00:00:43,000 --> 00:00:45,000
Which is stored by Next Auth

17
00:00:45,000 --> 00:00:48,000
in our browser. This cookie,

18
00:00:48,000 --> 00:00:51,000
which holds this token, is created there.

19
00:00:51,000 --> 00:00:53,000
And Next Auth determines whether

20
00:00:53,000 --> 00:00:55,000
we have an active session,

21
00:00:55,000 --> 00:00:57,000
so if this user is logged in,

22
00:00:57,000 --> 00:01:00,000
by checking that cookie and that token

23
00:01:00,000 --> 00:01:02,000
that's stored in that cookie.

24
00:01:02,000 --> 00:01:05,000
That is what happens when we call getSession here,

25
00:01:05,000 --> 00:01:09,000
or in our main-navigation component

26
00:01:09,000 --> 00:01:11,000
when we use the useSession hook.

27
00:01:11,000 --> 00:01:14,000
And that's what we did up to this point.

28
00:01:14,000 --> 00:01:17,000
Now one crucial feature is missing,

29
00:01:17,000 --> 00:01:21,000
one of the main reasons for adding authentication.

30
00:01:21,000 --> 00:01:26,000
Because having this client-side protection here is nice,

31
00:01:26,000 --> 00:01:28,000
protecting certain pages and making sure

32
00:01:28,000 --> 00:01:30,000
we can't reach certain pages,

33
00:01:30,000 --> 00:01:32,000
is all nice and good.

34
00:01:32,000 --> 00:01:34,000
But what really matters,

35
00:01:34,000 --> 00:01:36,000
is what we as a user can do.

36
00:01:36,000 --> 00:01:39,000
Which API routes we can hit.

37
00:01:39,000 --> 00:01:42,000
Here we got this change password example.

38
00:01:42,000 --> 00:01:44,000
But of course for example,

39
00:01:44,000 --> 00:01:45,000
if you're building an online shop,

40
00:01:45,000 --> 00:01:49,000
you might only want to allow logged-in users

41
00:01:49,000 --> 00:01:53,000
to create and delete and manage products.

42
00:01:53,000 --> 00:01:56,000
And in the interface which your website

43
00:01:56,000 --> 00:01:58,000
has for managing those products,

44
00:01:58,000 --> 00:02:01,000
you would be sending requests behind the scenes,

45
00:02:01,000 --> 00:02:04,000
to certain API endpoints,

46
00:02:04,000 --> 00:02:06,000
certain API routes.

47
00:02:06,000 --> 00:02:10,000
Where those requests then trigger certain operations.

48
00:02:10,000 --> 00:02:12,000
Like the creation of a product

49
00:02:12,000 --> 00:02:15,000
or the deletion of a product.

50
00:02:15,000 --> 00:02:17,000
And of course you want to make sure that,

51
00:02:17,000 --> 00:02:21,000
those requests only trigger those operations,

52
00:02:21,000 --> 00:02:24,000
if they come from authenticated users.

53
00:02:24,000 --> 00:02:28,000
So that if you have API routes in your project,

54
00:02:28,000 --> 00:02:31,000
API routes that do certain operations

55
00:02:31,000 --> 00:02:34,000
that are only allowed for authenticated users,

56
00:02:34,000 --> 00:02:38,000
that in those API routes you also verify,

57
00:02:38,000 --> 00:02:40,000
whether that request is coming

58
00:02:40,000 --> 00:02:43,000
from an authenticated user or not.

59
00:02:43,000 --> 00:02:45,000
Because even if you have full control

60
00:02:45,000 --> 00:02:47,000
over this user interface,

61
00:02:47,000 --> 00:02:52,000
requests to APIs can also be sent with other tools.

62
00:02:53,000 --> 00:02:56,000
From the command line, with tools like Postman,

63
00:02:56,000 --> 00:02:59,000
which allows you to create HTTP requests.

64
00:02:59,000 --> 00:03:03,000
So there are ways of sending requests to APIs,

65
00:03:03,000 --> 00:03:06,000
that don't require your website.

66
00:03:06,000 --> 00:03:10,000
And therefore protecting the pages on those websites,

67
00:03:10,000 --> 00:03:13,000
is one thing but we also need protection

68
00:03:13,000 --> 00:03:15,000
in those API routes.

69
00:03:15,000 --> 00:03:18,000
Where we validate incoming requests,

70
00:03:18,000 --> 00:03:21,000
and double check that this request

71
00:03:21,000 --> 00:03:24,000
is coming from an authenticated source.

72
00:03:24,000 --> 00:03:25,000
And I'm emphasizing this here,

73
00:03:25,000 --> 00:03:29,000
because this is another key part of authentication.

74
00:03:29,000 --> 00:03:32,000
It's not just about the client side,

75
00:03:32,000 --> 00:03:34,000
it is also about the server side,

76
00:03:34,000 --> 00:03:36,000
about those API routes.

77
00:03:36,000 --> 00:03:38,000
And that's therefore what we're going to

78
00:03:38,000 --> 00:03:40,000
take a closer look at now.

